Michael Owen wrote:
>> Stuart Gilchrist-Thomas dijo:
>>
>>> Hi,
>>>
>>> Does anyone have any pointers to evidence or advice on hiding or
>>> reducing the detection of VM honey pots. I know of temporal issues
>>> e.g. Timing metrics can give away a VM, and that you can manually
>>> alter peripheral identities e.g. virtual network cards etc.
>>>
>> I've also
>>
>>> created a company to purchase ip and hosting space to ensure a form
>>> of identity in depth. But I still lack experience in preventing
>>> detection. Can you help? Are you my only hope? ;)
>>>
>> Why hide the fact that the honeypot is running on VM? After all, many
>> environments in production (@datacenters) are running over VM. Those
>> intruders that think that VM == honeypot will change their
>> mindset soon.
>>
>> Regards
>>
>> Javier
>>
>>
>
> As Javier says, I'd go the complete other direction. If you're running VMware, install the VMware Tools (as they would be on a normal guest). Don't rename the PCI devices, as you'd be unlikely to ever do that in a real production environment. Assume that there is no way to hide the fact that is in a VM, and make it look like a real VM. Many VMs tend to be specialized in what service they provide, so make sure that your Honey VMs are doing that. You wouldn't have a normal production machine serving up http, smtp and smb, so don't make your Honey VM do that. Make it look just like a real production VM.
>
> Mike
>
Good points Mike, thanks. My query was blended towards Malware analysis
and it's detection of it's environment too. I like your points though,
so would VM Workstations and GSX server appear the same from any
"leaked" VM signatures? I only have access to a licenced version of
VMWare workstation.